[31964] in North American Network Operators' Group
Exodus NOC phone number?
daemon@ATHENA.MIT.EDU (Mathew Butler)
Thu Nov 2 00:25:58 2000
Message-ID: <F062E72E4BA2D4119F1700B0D03D205F395E@MAIL>
From: Mathew Butler <mbutler@tonbu.com>
To: "'nanog@merit.edu'" <nanog@merit.edu>
Date: Wed, 1 Nov 2000 21:16:25 -0800

Does anyone have the Exodus NOC phone number? (Or who I'm supposed to talk
to in this situation?):

I got a spam mail on AOL, with a link to a decimal IP (the exact link in
question is: http://3626046468//nv/zawixmecwhcxejb ). After figuring out
the dotted-decimal notation for it (216.33.20.4), I did a whois on arin for
that. Turns out it belongs to Exodus, and there's an additional field for
rwhois info. I got the rwhois info, and it shows that it belongs to
WhoWhere.

So I get curious, and go to the URL in question (speaking raw HTTP, as I am
wont to do when checking out spam links)... it redirects me to an
angelfire.com address. (A transcript is below:

$ telnet 216.33.20.4 80
Trying 216.33.20.4...
Connected to 216.33.20.4.
Escape character is '^]'.
GET //nv/zawixmecwhcxejb HTTP/1.1
Host: 3626046468
User-Agent: SecurityBreachDetected/1.0b2

HTTP/1.1 301 Moved Permanently
Date: Thu, 02 Nov 2000 05:19:15 GMT
Server: Apache/1.3.9 (Unix) FrontPage/4.0.4.3
Set-Cookie: CookieStatus=COOKIE_OK; path=/; domain=angelfire.lycos.com; expires=Fri, 02-Nov-2001 05:19:15 GMT
Location: http://www.angelfire.com//nv/zawixmecwhcxejb/
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

f9
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>301 Moved Permanently</TITLE>
</HEAD><BODY>
<H1>Moved Permanently</H1>
The document has moved <A HREF="http://www.angelfire.com//nv/zawixmecwhcxejb/">here</A>.<P>
</BODY></HTML>

0

Connection closed by foreign host.
$
)

So, I need to inform someone that they need to inform someone that their
server's being used for something it's not supposed to be.

Thanks for any help!

-Mat Butler
Systems Engineer
Tonbu, Inc
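
[Added example, not part of the original message: a mail-filter style check that finds links whose host is an IPv4 address written in a non-dotted form, like the decimal host in the spam link above, and reports the dotted-quad address to look up in whois. It goes beyond the single-decimal case in the post and also covers the hex, octal and short forms that inet_aton() accepts; the function names and the sample text are constructed for illustration.]

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# One host component as inet_aton() reads it: 0x.. hex, leading-0 octal, else decimal.
PART_RE = re.compile(r"0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*")

def _parse_part(part):
    low = part.lower()
    if not PART_RE.fullmatch(low):
        raise ValueError(part)          # not numeric, so this is a hostname
    if low.startswith("0x"):
        return int(low, 16)
    return int(low, 8) if low.startswith("0") else int(low)

def normalize_host(host):
    """Return (dotted_quad, obfuscated) for an inet_aton-style IPv4 host, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        *head, last = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    # Leading parts are one byte each; the last part fills all remaining bytes.
    if any(n > 0xFF for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    dotted = str(ipaddress.IPv4Address(value))
    return dotted, dotted != host

def find_obfuscated_links(text):
    """List (url, dotted_quad) for every link whose host hides an IPv4 address."""
    hits = []
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:              # malformed authority, e.g. a stray '['
            continue
        result = normalize_host(host)
        if result and result[1]:
            hits.append((url, result[0]))
    return hits

# Constructed sample body; the first link is the one quoted in the message above.
SAMPLE = ("Click http://3626046468//nv/zawixmecwhcxejb now\n"
          "or see http://www.angelfire.com//nv/zawixmecwhcxejb/ or http://216.33.20.4/\n")

if __name__ == "__main__":
    print(find_obfuscated_links(SAMPLE))
```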